Typescript Unsafe Setcontent User Input
Description
Detects potential HTML injection vulnerabilities in Playwright test automation code where untrusted content is passed to the setContent() method. If user input is not sanitized before it reaches setContent(), an attacker can inject HTML/JavaScript that is rendered and executed in the browser context.
Detection Strategy
• Check for calls to Playwright's setContent() method in test automation code
• Identify if the content parameter contains or is derived from user-controlled input
• Report a vulnerability if unsanitized user input can reach the setContent() call
• Look for data flow from input sources (like request parameters, files, or variables) to setContent() calls
Vulnerable code example
const { chromium } = require('playwright');

async function renderContent(userHtml) {
  const browser = await chromium.launch();
  const page = await browser.newPage();
  await page.setContent(userHtml); // Vulnerable: directly renders untrusted HTML from user input
  await browser.close();
}

✅ Secure code example
const { chromium } = require('playwright');
const createDOMPurify = require('dompurify');
const { JSDOM } = require('jsdom');

async function renderContent(userHtml) {
  // Create a DOMPurify instance backed by jsdom to sanitize HTML outside the browser
  const window = new JSDOM('').window;
  const DOMPurify = createDOMPurify(window);
  const cleanHtml = DOMPurify.sanitize(userHtml); // Strips scripts, event handlers and other active content
  const browser = await chromium.launch();
  const page = await browser.newPage();
  await page.setContent(cleanHtml); // Safe: only sanitized markup reaches the browser
  await browser.close();
}
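The detection strategy above, worked as an added example that is not Fluid Attacks' own scanner: a small line-based taint check in JavaScript that flags setContent() calls whose argument flows from an assumed set of input sources (function parameters, req.query/body/params, process.argv, process.env, fs.readFileSync) without passing through DOMPurify.sanitize(). The source it scans is a constructed sample that combines the vulnerable pattern, the sanitized pattern and a file-sourced flow.

```javascript
// Added example, not Fluid Attacks' engine: heuristic, line-based taint tracking for
// Playwright's setContent() sink. The source and sanitizer lists below are assumptions.
const TAINT_SOURCES = /\b(req\.(query|body|params)|process\.argv|process\.env|fs\.readFileSync)\b/;
const SANITIZERS = /\b(DOMPurify\.sanitize|sanitizeHtml)\s*\(/;
function mentionsTainted(expr, tainted) {
  return TAINT_SOURCES.test(expr) ||
    [...tainted].some(name => new RegExp(`\\b${name}\\b`).test(expr));
}
// Returns [{ line, arg }] for each setContent() whose argument is user-controlled and unsanitized.
function findUnsafeSetContent(source) {
  const tainted = new Set();
  const findings = [];
  source.split('\n').forEach((rawLine, idx) => {
    const line = rawLine.split('//')[0]; // drop trailing line comments
    // 1. Function parameters are assumed attacker-controlled (conservative choice).
    const fn = line.match(/function\s+\w+\s*\(([^)]*)\)|\(([^)]*)\)\s*=>/);
    if (fn) {
      (fn[1] ?? fn[2] ?? '').split(',')
        .map(p => p.trim().split(/[:=\s]/)[0]).filter(Boolean)
        .forEach(p => tainted.add(p));
    }
    // 2. Assignments propagate taint; a sanitizer call on the right-hand side clears it.
    const asg = line.match(/\b(?:const|let|var)\s+(\w+)\s*=\s*(.+?);?\s*$/);
    if (asg) {
      const [, name, rhs] = asg;
      if (SANITIZERS.test(rhs)) tainted.delete(name);
      else if (mentionsTainted(rhs, tainted)) tainted.add(name);
    }
    // 3. Sink: setContent(arg) with a tainted argument that is not sanitized inline.
    const sink = line.match(/\.setContent\s*\((.*)\)/);
    if (sink && mentionsTainted(sink[1], tainted) && !SANITIZERS.test(sink[1])) {
      findings.push({ line: idx + 1, arg: sink[1].trim() });
    }
  });
  return findings;
}
// Constructed sample: vulnerable pattern, sanitized pattern, and a file-sourced flow.
const SAMPLE = [
  'async function renderContent(userHtml: string) {',             // 1
  '  const page = await browser.newPage();',                      // 2
  '  await page.setContent(userHtml); // sink reached directly',  // 3: flagged
  '  const clean = DOMPurify.sanitize(userHtml);',                // 4
  '  await page.setContent(clean);',                              // 5: not flagged
  "  const fromFile = fs.readFileSync(process.argv[2], 'utf8');", // 6
  "  const doc = '<div>' + fromFile + '</div>';",                 // 7
  '  await page.setContent(doc);',                                // 8: flagged
  '}',
].join('\n');
console.log(findUnsafeSetContent(SAMPLE)); // [{ line: 3, arg: 'userHtml' }, { line: 8, arg: 'doc' }]
```

A real rule would work on the AST and follow taint across files and calls; this line-based version only shows the source-to-sink reasoning the strategy describes.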